[BUG] npm-ci failes if dependency with ^ has a new release that satifies

[SvenLie]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

When a dependency of one of my dependencies has an entry like "semver": "^7.3.4" and i installed it when version 7.4.0 was out. When i then run npm ci all its fine. When the package released in a new version like 7.5.0 npm ci failes with:

npm ERR! `npm ci` can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with `npm install` before continuing.
npm ERR! 
npm ERR! Invalid: lock file's semver@7.4.0 does not satisfy semver@7.5.0

Expected Behavior

npm ci should install version 7.4.0 of this package

Steps To Reproduce

1. create an package with version 1.0.0
2. add this as an dependency of one of your packages with "^1.0.0"
3. release a new version like 1.1.0
4. run npm ci in your project with the dependency --> error occurs

Environment

• npm: 9.6.4
• Node.js: 18.15.0
• OS Name: macOS

[wraithgar]

I can't reproduce this.

[SvenLie]

Hey, thank you for trying. I added my package.json and package-lock.json as attachement (npm-files.zip). When you run "npm ci" with this project the following error will occur:

npm ERR! code EUSAGE
npm ERR!
npm ERR! `npm ci` can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with `npm install` before continuing.
npm ERR!
npm ERR! Invalid: lock file's semver@7.4.0 does not satisfy semver@7.5.0
npm ERR!
npm ERR! Clean install a project
npm ERR!
npm ERR! Usage:
npm ERR! npm ci
npm ERR!
npm ERR! Options:
npm ERR! [-S|--save|--no-save|--save-prod|--save-dev|--save-optional|--save-peer|--save-bundle]
npm ERR! [-E|--save-exact] [-g|--global]
npm ERR! [--install-strategy <hoisted|nested|shallow|linked>] [--legacy-bundling]
npm ERR! [--global-style] [--omit <dev|optional|peer> [--omit <dev|optional|peer> ...]]
npm ERR! [--strict-peer-deps] [--no-package-lock] [--foreground-scripts]
npm ERR! [--ignore-scripts] [--no-audit] [--no-bin-links] [--no-fund] [--dry-run]
npm ERR! [-w|--workspace <workspace-name> [-w|--workspace <workspace-name> ...]]
npm ERR! [-ws|--workspaces] [--include-workspace-root] [--install-links]
npm ERR!
npm ERR! aliases: clean-install, ic, install-clean, isntall-clean
npm ERR!
npm ERR! Run "npm help ci" for more info

[wraithgar]

It would seem that npm-force-resolutions is doing things before npm gets to your tree that throw it off.
rogeriochaves/npm-force-resolutions#16 (comment)

[diminutivesloop]

@wraithgar Any details on how to avoid this happening in the future? I just encountered this with a project I work on after ts-essentials@9.4.1 was released. Running npm install fixed the issue and I couldn't come up with a minimal reproduction so it must have been due to interactions with some other dependencies. If it's not a bug with npm cli then there needs to be some other way to prevent it from happening because having npm ci fail out-of-the-blue because someone else published a package update is not acceptable.

[wraithgar]

Yeah don't let anything alter the package lock during npm ci

There's not much npm can do to prevent this if folks have scripts that run during install.

[braineo]

We encountered the same issue. Essentially our build and ci pipeline works until a new package is released on npm registry.

We have to npm i all the repositories to update the package-lock file to keep the work going on. like @diminutivesloop mentioned, is there any way to prevent this from happening again?

in our example, we have tslib as a hoisted dedup package at the node_modules/tslib and this package is an indirect dependency. however npm ci fails after tslib publishing a new version

the behavior is also reported in

#6787 (comment)